Home / Blog / How to Delete a User on Linux (and Remove Every Trace)

How to Delete a User on Linux (and Remove Every Trace)

A shell prompt in a terminal window on a Linux computer.
Fatmawati Achmad Zaenuri/Shutterstock

Deleting a person on Linux entails greater than you suppose. If you happen to’re a system administrator, you’ll need to purge all traces of the account and its entry out of your programs. We’ll present you the steps to take.

If you happen to simply need to delete a person account out of your system and aren’t involved about ending any operating processes and different cleanup duties, comply with the steps within the “Deleting the Consumer Account” part beneath. You’ll want the deluser command on Debian-based distributions and the userdel command on different Linux distributions.

Consumer Accounts on Linux

Ever for the reason that first time-sharing programs appeared within the early 1960s and introduced with them the potential for a number of customers to work on a single pc, there’s been a must isolate and compartmentalize the recordsdata and information of every person from all the opposite customers. And so person accounts—and passwords—had been born.

Consumer accounts have an administrative overhead. They have to be created when the person first wants entry to the pc. They have to be eliminated when that entry is now not required. On Linux, there’s a sequence of steps that needs to be adopted with a purpose to appropriately and methodically take away the person, their recordsdata, and their account from the pc.

If you happen to’re the system administrator that accountability falls to you. Right here’s the right way to go about it.

Our Situation

There’s any variety of causes an account would possibly have to be deleted. A employees member is perhaps transferring to a special crew or leaving the corporate altogether. The account might need been arrange for a brief time period collaboration with a customer from one other firm. Staff-ups are frequent in academia, the place analysis initiatives can span departments, totally different universities, and even industrial entities. On the conclusion of the venture, the system administrator has to carry out the housekeeping and take away pointless accounts.

The worst-case state of affairs is when somebody leaves beneath a cloud due to a misdemeanor. Such occasions often occur out of the blue, with little fore-warning. That provides the system administrator little or no time to plan, and an urgency to get the account locked, closed and deleted—with a duplicate of the person’s recordsdata backed up in case they’re wanted for any post-closure forensics.

In our state of affairs, we’ll faux {that a} person, Eric, has performed one thing that warrants his quick removing from the premises. At this second he’s unaware of this, he’s nonetheless working, and logged in. As quickly as you give the nod to safety he’s going to be escorted from the constructing.

Every little thing’s set. All eyes are on you.

Test the Login

Let’s see if he actually is logged in and, if he’s, what number of periods he’s working with. The who command will checklist lively periods.


who in a terminal window

Eric is logged in as soon as.  Let’s see what processes he’s operating.

Reviewing The Consumer’s Processes

We will use the ps command to checklist the processes this person is operating. The -u (person) possibility lets us inform ps to limit its output to the processes operating beneath the possession of that person account.

ps -u eric

ps -u eric in a terminal window

We will see the identical processes with extra info utilizing the prime command. prime additionally has an -U (person) possibility to limit the output to the processes owned by a single person. Notice that this time it’s an uppercase “U.”

prime -U eric

top -U eric in a terminal window

We will see the reminiscence and CPU utilization of every activity, and may shortly search for something with suspicious exercise. We’re about to forcibly kill all of his processes, so it’s most secure to take a second to shortly overview the processes, and verify and make it possible for different customers usually are not going to be inconvenienced once you terminate person account eric‘s processes.

Output from top -U eric in a terminal window

It doesn’t seem like he’s doing a lot, simply utilizing much less to view a file. We’re protected to proceed. However earlier than we kill his processes, we’ll freeze the account by locking the password.

RELATED: Learn how to Use the ps Command to Monitor Linux Processes

Locking the Account

We’ll lock the account earlier than we kill the processes as a result of once we kill the processes it should log off the person. If we’ve already modified his password, he received’t be capable to log again in.

The encrypted person passwords are saved within the /and many others/shadow file. You wouldn’t usually trouble with these subsequent steps, however with the intention to see what occurs within the /and many others/shadow file once you lock the account we’ll take a slight detour. We will use the next command to take a look at the primary two fields of the entry for the eric person account.

sudo awk -F: '/eric/ {print $1,$2}' /and many others/shadow

sudo awk -F: '/eric/ {print $1,$2}' /etc/shadow in a terminal window

The awk command parses fields from textual content recordsdata and optionally manipulates them. We’re utilizing the -F (area separator) possibility to inform awk that the file makes use of a colon ” : ” to separate the fields. We’re going to seek for a line with the sample “eric” in it. For matching traces, we’ll print the primary and second fields. These are the account identify and the encrypted password.

The entry for person account eric is printed for us.

To lock the account we use the passwd command.  We’ll use the -l (lock) possibility and go within the identify of the person account to lock.

sudo passwd -l eric

sudo passwd -l eric in a terminal window

If we verify the /and many others/passwd file once more, we’ll see what’s occurred.

sudo awk -F: '/eric/ {print $1,$2}' /and many others/shadow

sudo awk -F: '/eric/ {print $1,$2}' /etc/shadow in a terminal window

An exclamation mark has been added to the beginning of the encrypted password. It doesn’t overwrite the primary character, it’s simply added to the beginning of the password. That’s all that’s required to stop a person from having the ability to log in to that account.

Now that we’ve prevented the person from logging again in, we are able to kill his processes and log him out.

Killing the Processes

There are alternative ways to kill a person’s processes, however the command proven right here is broadly out there and is a extra fashionable implementation than a number of the alternate options. The pkill command will discover and kill processes. We’re passing within the KILL sign, and utilizing the -u (person) possibility.

sudo pkill -KILL -u eric

sudo pkill -KILL -u eric in a terminal window

You’re returned to the command immediate in a decidedly anti-climactic style. To verify one thing occurred let’s verify who once more:


who in a terminal window

His session is gone. He’s been logged off and his processes have been stopped. That’s taken a number of the urgency out of the scenario. Now we are able to loosen up a bit and keep on with the remainder of the mopping up as safety takes a stroll over to Eric’s desk.

RELATED: Learn how to Kill Processes From the Linux Terminal

Archiving the Consumer’s residence Listing

It’s not out of the query that in a state of affairs equivalent to this, entry to the person’s recordsdata will probably be required sooner or later. Both as a part of an investigation or just because their substitute might must refer again to their predecessor’s work. We’ll use the tar command to archive their whole residence listing.

The choices we’re utilizing are:

  • c: Create an archive file.
  • f: Use the required filename for the identify of the archive.
  • j: Use bzip2 compression.
  • v: Present verbose output because the archive is created.
sudo tar cfjv eric-20200820.tar.bz /residence/eric

sudo tar cfjv eric-20200820.tar.bz /home/eric  in a terminal window

A variety of display output will scroll within the terminal window. To verify the archive has been created, use the ls command. We’re utilizing the -l (lengthy format) and -h (human-readable) choices.

ls -lh eric-20200802.tar.bz

sudo tar cfjv eric-20200820.tar.bz /home/eric  in a terminal window

A file of 722 MB has been created. This may be copied someplace protected for later overview.

Eradicating cron Jobs

We’d higher verify in case there are any cron jobs scheduled for person account eric. A cron job is a command that’s triggered at specified instances or intervals. We will verify if there are any cron jobs scheduled for this person account through the use of ls:

sudo ls -lh /var/spool/cron/crontabs/eric

sudo ls -lh /var/spool/cron/crontabs/eric in a terminal window

If something exists on this location it means there are cron jobs queued for that person account. We will delete them with this crontab command. The -r (take away) possibility will take away the roles, and the -u (person) possibility tells crontab whose jobs to take away.

sudo crontab -r -u eric

sudo crontab -r -u eric in a terminal window

The roles are silently deleted. For all we all know, if Eric had suspected he was about to be evicted he might need scheduled a malicious job. This step is finest apply.

Eradicating Print Jobs

Maybe the person had pending print jobs? Simply to make sure, we are able to purge the print queue of any jobs belonging to person account eric. The lprm command removes jobs from the print queue. The -U (username) possibility allows you to take away jobs owned by the named person account:

lprm -U eric

lprm -U eric in a terminal window

The roles are eliminated and you might be returned to the command line.

Deleting the Consumer Account

We’ve already backed up the recordsdata from the /residence/eric/ listing, so we are able to go forward and delete the person account and delete the /residence/eric/ listing on the identical time.

The command to make use of depends upon which distribution of Linux you’re utilizing. For Debian based mostly Linux distributions, the command is deluser, and for the remainder of the Linux world, it’s userdel.

Truly, on Ubuntu each instructions can be found. I half-expected one to be an alias of the opposite, however they’re distinct binaries.

sort deluser
sort userdel

type deluser in a terminal window

Though they’re each out there, the advice is to make use of deluser on Debian-derived distributions:

userdel is a low degree utility for eradicating customers. On Debian, directors ought to often use deluser(8) as an alternative.”

That’s clear sufficient, so the command to make use of on this Ubuntu pc is deluser. As a result of we additionally need their residence listing to be eliminated we’re utilizing the --remove-home flag:

sudo deluser --remove-home eric

sudo deluser --remove-home eric in a terminal window

The command to make use of for non-Debian distributions is userdel, with the --remove flag:

sudo userdel --remove eric

All traces of person account eric have been erased. We will verify that the /residence/eric/listing has been eliminated:

ls /residence

ls /home in a terminal window

The eric group has additionally been eliminated as a result of the person account eric was the one entry in it. We will verify this fairly simply by piping the contents of /and many others/group via grep:

sudo much less /and many others/group | grep eric

sudo less /etc/group | grep eric in a terminal window

It’s a Wrap

Eric, for his sins, is gone. Safety remains to be strolling him out of the constructing and also you’ve already secured and archived his recordsdata, deleted his account, and purged the system of any remnants.

Accuracy all the time trumps pace. Be sure you take into account every step earlier than you’re taking it. You don’t need somebody strolling as much as your desk and saying “No, the opposite Eric.”


About Dave McKay

Check Also

How to Customize Google Forms With Themes, Images, and Fonts

Google Kinds is the simplest approach to make a fillable kind on-line. Most Google Kinds …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.